Debian Bug report logs - #620560
xmlsec security issue: arbitrary file overwriting CVE-2011-1425

Package: xmlsec1; Maintainer for xmlsec1 is John V. Belmonte <jbelmonte@debian.org>; Source for xmlsec1 is src:xmlsec1.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sat, 2 Apr 2011 19:12:01 UTC

Severity: serious

Tags: security

Merged with 621691

Fixed in versions xmlsec1/1.2.14-1.1, xmlsec1/1.2.9-5+lenny1, xmlsec1/1.2.14-1+squeeze1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, John V. Belmonte <jbelmonte@debian.org>:
Bug#620560; Package xmlsec1. (Sat, 02 Apr 2011 19:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to John V. Belmonte <jbelmonte@debian.org>. (Sat, 02 Apr 2011 19:12:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: xmlsec security issue: arbitrary file overwriting CVE-2011-1425
Date: Sat, 2 Apr 2011 21:00:52 +0200
Package: xmlsec1
Severity: serious
Tags: security

Hi,

A new version of xmlsec has been released which fixes a security issue:

"When using XML Security Library prior to 1.2.17, it is possible
to create or overwrite arbitrary files during signature verification,
if XSLT is present and enabled (which is the default mode). The attack
uses the libxslt extension "output" or its aliases, inside a
<ds:Transform> element."

See attached announcement email.


Cheers,
Thijs

[Attached Message (message/rfc822, attachment)]
[signature.asc (application/pgp-signature, inline)]
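
A pre-verification check for the condition the advisory above describes, as an added example that is not part of this bug log or of xmlsec: it rejects a document whose <ds:Transform> elements carry XSLT, or any transform outside an allowlist, before the document reaches signature verification. The allowlist contents, the function names and the sample documents are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumed local policy: the only transforms this verifier expects to see.
ALLOWED_TRANSFORMS = frozenset({
    DSIG_NS + "enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
})


def audit_transforms(xml_bytes):
    """Return (algorithm, reason) for every ds:Transform that violates policy."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for transform in root.iter("{%s}Transform" % DSIG_NS):
        algorithm = transform.get("Algorithm", "")
        # A stylesheet counts even if the Algorithm attribute claims otherwise.
        has_stylesheet = any(
            isinstance(el.tag, str) and el.tag.startswith("{%s}" % XSLT_NS)
            for el in transform.iter()
        )
        if algorithm == XSLT_TRANSFORM or has_stylesheet:
            findings.append((algorithm, "XSLT transform"))
        elif algorithm not in ALLOWED_TRANSFORMS:
            findings.append((algorithm, "not on allowlist"))
    return findings


def safe_to_verify(xml_bytes):
    """True only when every transform in the document is on the allowlist."""
    return not audit_transforms(xml_bytes)


def make_sample(transforms):
    """Wrap ds:Transform markup in a minimal, constructed ds:Signature."""
    return (
        '<doc><ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="">'
        "<ds:Transforms>%s</ds:Transforms></ds:Reference></ds:SignedInfo>"
        "</ds:Signature></doc>" % (DSIG_NS, transforms)
    ).encode()


# Constructed inputs; the stylesheets are deliberately empty.
BENIGN = make_sample(
    '<ds:Transform Algorithm="%senveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>' % DSIG_NS
)
WITH_XSLT = make_sample(
    '<ds:Transform Algorithm="%s"><xsl:stylesheet version="1.0" xmlns:xsl="%s"/>'
    "</ds:Transform>" % (XSLT_TRANSFORM, XSLT_NS)
)
MISLABELLED = make_sample(
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">'
    '<xsl:stylesheet version="1.0" xmlns:xsl="%s"/></ds:Transform>' % XSLT_NS
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("xslt", WITH_XSLT),
                      ("mislabelled", MISLABELLED)):
        print(name, safe_to_verify(doc), audit_transforms(doc))
```

This check complements the fixed package versions listed in this log and does not replace them.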

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 09 Apr 2011 16:32:19 GMT) Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 09 Apr 2011 16:32:36 GMT) Full text and rfc822 format available.

Message #10 received at 620560-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 620560-close@bugs.debian.org
Subject: Bug#620560: fixed in xmlsec1 1.2.14-1.1
Date: Sat, 09 Apr 2011 16:23:40 +0000
Source: xmlsec1
Source-Version: 1.2.14-1.1

We believe that the bug you reported is fixed in the latest version of
xmlsec1, which is due to be installed in the Debian FTP archive:

libxmlsec1-dev_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1-dev_1.2.14-1.1_i386.deb
libxmlsec1-gnutls_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1-gnutls_1.2.14-1.1_i386.deb
libxmlsec1-nss_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1-nss_1.2.14-1.1_i386.deb
libxmlsec1-openssl_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1-openssl_1.2.14-1.1_i386.deb
libxmlsec1_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/libxmlsec1_1.2.14-1.1_i386.deb
xmlsec1_1.2.14-1.1.diff.gz
  to main/x/xmlsec1/xmlsec1_1.2.14-1.1.diff.gz
xmlsec1_1.2.14-1.1.dsc
  to main/x/xmlsec1/xmlsec1_1.2.14-1.1.dsc
xmlsec1_1.2.14-1.1_i386.deb
  to main/x/xmlsec1/xmlsec1_1.2.14-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated xmlsec1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 09 Apr 2011 17:40:24 +0200
Source: xmlsec1
Binary: libxmlsec1-dev libxmlsec1 libxmlsec1-openssl libxmlsec1-gnutls libxmlsec1-nss xmlsec1
Architecture: source i386
Version: 1.2.14-1.1
Distribution: unstable
Urgency: high
Maintainer: John V. Belmonte <jbelmonte@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 libxmlsec1 - XML security library
 libxmlsec1-dev - Development files for the XML security library
 libxmlsec1-gnutls - Gnutls engine for the XML security library
 libxmlsec1-nss - Nss engine for the XML security library
 libxmlsec1-openssl - Openssl engine for the XML security library
 xmlsec1    - XML security command line processor
Closes: 620560
Changes: 
 xmlsec1 (1.2.14-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply patch from upstream addressing arbitrary file overwrite
     (CVE-2011-1425, closes: #620560).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, John V. Belmonte <jbelmonte@debian.org>:
Bug#620560; Package xmlsec1. (Sat, 09 Apr 2011 19:40:37 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to John V. Belmonte <jbelmonte@debian.org>. (Sat, 09 Apr 2011 19:40:47 GMT) Full text and rfc822 format available.

Message #15 received at 620560@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 620560@bugs.debian.org
Subject: NMU 1.2.14-1.1 to fix this bug
Date: Sat, 9 Apr 2011 17:56:10 +0200
Hi,

I'll upload 1.2.14-1.1 to address this security issue according to attached 
patch.


Cheers,
Thijs
[CVE-2011-1425.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Forcibly Merged 620560 621691. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 01:14:29 GMT) Full text and rfc822 format available.

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Tue, 19 Apr 2011 19:57:12 GMT) Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Tue, 19 Apr 2011 19:57:12 GMT) Full text and rfc822 format available.

Message #22 received at 620560-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 620560-close@bugs.debian.org
Subject: Bug#620560: fixed in xmlsec1 1.2.9-5+lenny1
Date: Tue, 19 Apr 2011 19:55:19 +0000
Source: xmlsec1
Source-Version: 1.2.9-5+lenny1

We believe that the bug you reported is fixed in the latest version of
xmlsec1, which is due to be installed in the Debian FTP archive:

libxmlsec1-dev_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-dev_1.2.9-5+lenny1_amd64.deb
libxmlsec1-gnutls_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-gnutls_1.2.9-5+lenny1_amd64.deb
libxmlsec1-nss_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-nss_1.2.9-5+lenny1_amd64.deb
libxmlsec1-openssl_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-openssl_1.2.9-5+lenny1_amd64.deb
libxmlsec1_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/libxmlsec1_1.2.9-5+lenny1_amd64.deb
xmlsec1_1.2.9-5+lenny1.diff.gz
  to main/x/xmlsec1/xmlsec1_1.2.9-5+lenny1.diff.gz
xmlsec1_1.2.9-5+lenny1.dsc
  to main/x/xmlsec1/xmlsec1_1.2.9-5+lenny1.dsc
xmlsec1_1.2.9-5+lenny1_amd64.deb
  to main/x/xmlsec1/xmlsec1_1.2.9-5+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated xmlsec1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 13 Apr 2011 11:57:24 +0200
Source: xmlsec1
Binary: libxmlsec1-dev libxmlsec1 libxmlsec1-openssl libxmlsec1-gnutls libxmlsec1-nss xmlsec1
Architecture: source amd64
Version: 1.2.9-5+lenny1
Distribution: oldstable-security
Urgency: high
Maintainer: John V. Belmonte <jbelmonte@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 libxmlsec1 - XML security library
 libxmlsec1-dev - Development files for the XML security library
 libxmlsec1-gnutls - Gnutls engine for the XML security library
 libxmlsec1-nss - Nss engine for the XML security library
 libxmlsec1-openssl - Openssl engine for the XML security library
 xmlsec1    - XML security command line processor
Closes: 620560
Changes: 
 xmlsec1 (1.2.9-5+lenny1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply patch from upstream addressing arbitrary file overwrite
     (CVE-2011-1425, closes: #620560).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Tue, 19 Apr 2011 19:57:13 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <paul.szabo@sydney.edu.au>:
Bug acknowledged by developer. (Tue, 19 Apr 2011 19:57:13 GMT) Full text and rfc822 format available.

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 04 Jun 2011 14:03:06 GMT) Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 04 Jun 2011 14:03:06 GMT) Full text and rfc822 format available.

Message #32 received at 620560-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 620560-close@bugs.debian.org
Subject: Bug#620560: fixed in xmlsec1 1.2.14-1+squeeze1
Date: Sat, 04 Jun 2011 14:00:32 +0000
Source: xmlsec1
Source-Version: 1.2.14-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
xmlsec1, which is due to be installed in the Debian FTP archive:

libxmlsec1-dev_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-dev_1.2.14-1+squeeze1_amd64.deb
libxmlsec1-gnutls_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-gnutls_1.2.14-1+squeeze1_amd64.deb
libxmlsec1-nss_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-nss_1.2.14-1+squeeze1_amd64.deb
libxmlsec1-openssl_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-openssl_1.2.14-1+squeeze1_amd64.deb
libxmlsec1_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/libxmlsec1_1.2.14-1+squeeze1_amd64.deb
xmlsec1_1.2.14-1+squeeze1.diff.gz
  to main/x/xmlsec1/xmlsec1_1.2.14-1+squeeze1.diff.gz
xmlsec1_1.2.14-1+squeeze1.dsc
  to main/x/xmlsec1/xmlsec1_1.2.14-1+squeeze1.dsc
xmlsec1_1.2.14-1+squeeze1_amd64.deb
  to main/x/xmlsec1/xmlsec1_1.2.14-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620560@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated xmlsec1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 13 Apr 2011 08:23:07 +0200
Source: xmlsec1
Binary: libxmlsec1-dev libxmlsec1 libxmlsec1-openssl libxmlsec1-gnutls libxmlsec1-nss xmlsec1
Architecture: source amd64
Version: 1.2.14-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: John V. Belmonte <jbelmonte@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 libxmlsec1 - XML security library
 libxmlsec1-dev - Development files for the XML security library
 libxmlsec1-gnutls - Gnutls engine for the XML security library
 libxmlsec1-nss - Nss engine for the XML security library
 libxmlsec1-openssl - Openssl engine for the XML security library
 xmlsec1    - XML security command line processor
Closes: 620560
Changes: 
 xmlsec1 (1.2.14-1+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Apply patch from upstream addressing arbitrary file overwrite
     (CVE-2011-1425, closes: #620560).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 04 Jun 2011 14:03:07 GMT) Full text and rfc822 format available.

Notification sent to Paul Szabo <paul.szabo@sydney.edu.au>:
Bug acknowledged by developer. (Sat, 04 Jun 2011 14:03:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Jul 2011 07:34:03 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:52:30 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.